Frequent CAPTCHA box on phpBB Forum

#1

Hello,
Since enabling CloudFlare WAF, our Users (phpBB Forum) are quite frequently presented with the ‘I am not a Robot’ check-box and CAPTCHA picture questions, before they are able to post. Sometimes this also results in their post being lost. I am ‘superuser’ and often have to complete an ‘I am not a robot’ box and CAPTCHA picture questions before I can post. I don’t mind this, but some of our users are getting a bit fed up with it - especially if their post is lost in the process!

Our users are mainly UK based, so we don’t have a Firewall rule for UK visitors to get a CAPTCHA. Has anyone got any clues why this might be, or if there is anything we can do about it?

Any advice welcome!


#2

Top of the list is people using Tor network. Here’s some info on that:

Secondly, what security level are you running? (from your Overview or Security tab at Cloudflare)

If it’s not a Tor issue, and if lowering the Security Level doesn’t help, you can also use the above Security page to increase the Challenge Passage timeout to a day/week/month/year (your choice).


#3

Hi sdayman,
Thanks for the reply and suggestions.
No, our users wouldn’t be using Tor, these are just general public users, with regular ISPs such as TalkTalk, PlusNet, Vodafone etc.
At the moment, our security level is set to Medium, and our Challenge Passage time is set to 30 minutes (I think these were the default when we joined CloudFlare). If I set the Security Level to “Low” are we still protected by all the same CloudFlare anti-hacking firewall rules? That definitely sounds like it will be the solution to how often our users get challenged, but will lowering that significantly increase our risk of being hacked? Thanks for your further advice!


#4

Lowering the security level isn’t desirable, but it may help you troubleshoot. A less risky solution would be to increase that Challenge Passage timeout so users only get the CAPTCHA after a month or more.

I just remembered…try looking on Cloudflare in your Firewall settings. At the very bottom is a list of Firewall events. It may show something being triggered.


#5

Hi sdayman,
Thanks again - I am learning stuff here!

OK I have left the security level at Medium, but increased the Challenge Passage timeout to 1 month. I hadn’t realised what that did before, so thanks for that.

I checked the Firewall events - I specifically searched for the instances recently where I got “challenged” myself. I have a fixed IP address, and I am definitely not trying to hack or attack my own site (!). I was challenged by ‘Rule ID 981176’ with the following explanation: “Inbound Anomaly Score Exceeded (Total Score: 31, SQLi=9, XSS=10): Last Matched Message: IE XSS Filters - Attack Detected.”

I don’t know why my IP address should have an “Anomaly score” or why I should be seen as an attacker? (I promise I’m not!!) Any ideas?


#6

Are you on the paid plan? It’s been a while since I’ve had a Firewall rule trip things up. I believe I had to add a page rule to exclude a specific WAF rule. That doesn’t sound quite right, but I was able to work around normal usage tripping a WAF rule. Give the following article a look. You may have to turn some overzealous rules:

Do you remember what you were doing that triggered the event? SQLi and XSS often get tripped when doing Admin stuff on a website’s back end.

But keep checking that firewall log to see what else may be triggering events.


#7

Hi sdayman,
I really appreciate your help! Yes, I am on a paid (pro) plan.

You’re right, the challenges were being triggered when doing admin in the forum back end, but also when just making a regular post.

I had a good look round the Firewall log, and see that Rule ID 981176 is triggered quite often, but usually it’s correctly triggered by malicious attempts, so I don’t want to disable the rule entirely. Still, your suggestion of increasing the Challenge passage time to 1 month should be enough to keep our users happy.

I’ve also raised a support ticket with CF, to ask if there is a way to prevent false positives without disabling the rule entirely. I couldn’t figure out from the guide if there was a way to do that, but if I find there is I will post it back here.

Thanks to your suggestion of digging down into the firewall logs, I also found out I can ‘whitelist’ my own fixed IP, so that’s a bonus!


#8

Just to add here in case anyone else has this issue, CF advised of two further options to help in this situation.

  1. A page rule to exclude from the WAF the specific endpoint that is triggering the CAPTCHA.
  2. Depending on what kind of rule is being triggered - ours was an OWASP rule - so another option is to lower the OWASP sensitivity from High to Low.

Our issue appears to have been sorted by (1) above… so far, anyway!
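
The two options in #8 can be weighed from the firewall log itself. The following is an added example (not code from this thread or from Cloudflare) that parses event explanations in the format quoted in #5, keeps only events from known-good client IPs, and reports per endpoint which OWASP sensitivity levels would still fire. The thresholds are an assumption taken from Cloudflare's documentation (High 25, Medium 40, Low 60); the events, IPs and paths are constructed.

```python
import re
from collections import defaultdict

# Assumption: Cloudflare's documented OWASP sensitivity thresholds (not stated in this thread).
THRESHOLDS = {"High": 25, "Medium": 40, "Low": 60}
MSG_RE = re.compile(r"Inbound Anomaly Score Exceeded \(Total Score: (\d+)(?:, ([^)]*))?\)")

def parse_message(msg):
    """Return (total_score, {category: score}) from a rule 981176 explanation, or None."""
    m = MSG_RE.search(msg)
    if not m:
        return None
    cats = {}
    for part in (m.group(2) or "").split(","):
        if "=" in part:
            name, value = part.split("=", 1)
            cats[name.strip()] = int(value)
    return int(m.group(1)), cats

def triggers_at(total):
    """Sensitivity levels at which this total anomaly score reaches the threshold."""
    return [level for level, limit in THRESHOLDS.items() if total >= limit]

def triage(events, trusted_ips):
    """Per path: count of events from trusted clients, worst score, levels that still fire."""
    rows = defaultdict(lambda: {"count": 0, "max": 0})
    for ev in events:
        parsed = parse_message(ev["message"])
        if parsed is None or ev["ip"] not in trusted_ips:
            continue  # unparseable, or possibly a real attack: leave it to the WAF
        row = rows[ev["path"]]
        row["count"] += 1
        row["max"] = max(row["max"], parsed[0])
    return {path: {**row, "fires_at": triggers_at(row["max"])} for path, row in rows.items()}

# The explanation text quoted in post #5.
PAGE_MSG = ("Inbound Anomaly Score Exceeded (Total Score: 31, SQLi=9, XSS=10): "
            "Last Matched Message: IE XSS Filters - Attack Detected.")
# Constructed sample events (documentation IP ranges, hypothetical paths and scores).
EVENTS = [
    {"ip": "203.0.113.10", "path": "/posting.php", "message": PAGE_MSG},
    {"ip": "203.0.113.10", "path": "/posting.php",
     "message": "Inbound Anomaly Score Exceeded (Total Score: 45, SQLi=20, XSS=15): constructed"},
    {"ip": "203.0.113.10", "path": "/adm/index.php",
     "message": "Inbound Anomaly Score Exceeded (Total Score: 26, SQLi=11): constructed"},
    {"ip": "198.51.100.7", "path": "/viewtopic.php",
     "message": "Inbound Anomaly Score Exceeded (Total Score: 63): constructed"},
]

if __name__ == "__main__":
    for path, row in triage(EVENTS, {"203.0.113.10"}).items():
        print(path, row)
```

A path that shows many events from trusted clients is a candidate for the page-rule exclusion in option 1, while an empty `fires_at` at the Low level means option 2 alone would stop the challenge for those requests.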